Using the CLI to create a bucket with cross-region replication enabled

In this recipe, we will do something slightly different than in the previous recipe. Cross-region replication can be a very important aspect of a solid disaster recovery plan, and it is often a requirement for various compliance certifications.

The first thing to understand about using S3 with the CLI is that there are two separate executables: s3 and s3api. These provide access to different tiers of functionality:

  • We use s3 for simple high-level commands that are similar to Unix shell commands such as cp and ls.
  • We use s3api to get complete access to the functionality offered by the entire S3 REST API.

In this recipe, you will use both tiers to create and manipulate buckets:

  1. List all the buckets in your account with aws s3:
$ aws s3 ls
2019-02-02 17:43:46 cf-templates-1llvkn4p8d3dr-us-east-1
2019-02-11 16:38:29 cf-templates-1llvkn4p8d3dr-us-west-1
2019-03-01 04:14:05 ezb-packt-admin1-console
2019-02-08 19:25:18 mycloudtrailbucketstack-mycloudtrailbucket-bf8yqwecopwv
  2. Create a new bucket in us-east-1. This bucket will be the source of cross-region replication (replace the following bucket name with a globally unique name of your choosing):
$ aws s3 mb --region us-east-1 s3://YOUR-SOURCE-BUCKET
make_bucket: YOUR-SOURCE-BUCKET
  3. Create a separate bucket in us-west-1 to act as the target of the replication:
$ aws s3 mb --region us-west-1 s3://YOUR-TARGET-BUCKET
make_bucket: YOUR-TARGET-BUCKET

  4. Enable versioning on the source and target buckets (replication requires versioning on both sides):
$ aws s3api put-bucket-versioning \
    --bucket YOUR-SOURCE-BUCKET \
    --versioning-configuration Status=Enabled
$ aws s3api put-bucket-versioning \
    --bucket YOUR-TARGET-BUCKET \
    --versioning-configuration Status=Enabled
  5. Create a role that will allow S3 to replicate objects on your behalf. Copy the following trust policy into a file called cr-role.json:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "s3.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
  6. Create the role:
$ aws iam create-role --role-name my-cr-role --assume-role-policy-document file://cr-role.json
  7. Attach a policy to the role that allows S3 access to the source and target buckets. Create a file called cr-policy.json, replacing the placeholders with your bucket names. Note that the policy is scoped to exactly these two buckets: read-only access on the source and replicate-only actions on the target, with no wildcard resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-SOURCE-BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-SOURCE-BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::YOUR-TARGET-BUCKET/*"
    }
  ]
}
  8. Attach the policy to the role:
$ aws iam put-role-policy --role-name my-cr-role --policy-name my-cr-role-policy --policy-document file://cr-policy.json
  9. Configure cross-region replication on the first bucket using aws s3api. This is a complex command that is much easier to handle if you use a JSON file as input. Luckily, there is a way to output a template skeleton to get you started. In the following code, I used put-bucket-replication, along with the --generate-cli-skeleton parameter, and redirected the output to a file so that I could open it with a text editor:
$ aws s3api put-bucket-replication --generate-cli-skeleton > pbr.json
$ vim pbr.json
  10. Much of the skeleton is optional, so the file can be simplified. Use the following content for pbr.json. Make sure to replace the values for your role ARN and your target bucket (an empty Prefix replicates every object in the bucket):
{
  "Role": "YOUR-ROLE-ARN",
  "Rules": [{
    "Status": "Enabled",
    "Prefix": "",
    "Destination": {
      "Bucket": "arn:aws:s3:::YOUR-TARGET-BUCKET"
    }
  }]
}
  11. Apply the replication configuration to the source bucket:
$ aws s3api put-bucket-replication \
    --replication-configuration file://pbr.json \
    --bucket YOUR-SOURCE-BUCKET
  12. Copy an object into the source bucket:
$ touch hello.txt
$ aws s3 cp hello.txt s3://YOUR-SOURCE-BUCKET
  13. List the contents of the target bucket to confirm that the object was replicated successfully. Note that this might take a few seconds, because replication is asynchronous and eventually consistent:
$ aws s3 ls s3://YOUR-TARGET-BUCKET
2019-03-05 04:20:53 0 hello.txt
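The steps above hand three JSON documents to the CLI (the trust policy, the role permissions policy and the replication configuration), and a typo in any of them is easy to miss until replicas fail to appear. The following is an added example, not code from the book: it renders those three documents from a source bucket, target bucket and role ARN, and adds two sanity checks a practitioner would run before (or after, against the output of `aws s3api get-bucket-replication`) applying them, namely that every rule is enabled and points at the intended target bucket, and that no statement in the role policy reaches beyond the two buckets. The account ID, bucket names and role name are constructed placeholders.

```python
"""Added example, not code from the book: render the three JSON documents the
recipe feeds to the AWS CLI and sanity-check them before applying. The account
id, bucket names and role name are constructed placeholders."""
import json
from pathlib import Path

ACCOUNT_ID = "123456789012"             # placeholder, not a real account
SOURCE_BUCKET = "example-crr-source"     # placeholder source bucket (us-east-1)
TARGET_BUCKET = "example-crr-target"     # placeholder target bucket (us-west-1)
ROLE_NAME = "my-cr-role"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"


def trust_policy() -> dict:
    """cr-role.json: lets the S3 service assume the replication role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "s3.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def role_policy(source: str, target: str) -> dict:
    """cr-policy.json: read from the source, write replicas to the target, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl"],
         "Resource": [f"arn:aws:s3:::{source}/*"]},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetReplicationConfiguration"],
         "Resource": [f"arn:aws:s3:::{source}"]},
        {"Effect": "Allow",
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                    "s3:ReplicateTags", "s3:GetObjectVersionTagging"],
         "Resource": [f"arn:aws:s3:::{target}/*"]}]}


def replication_config(role_arn: str, target: str) -> dict:
    """pbr.json: one rule replicating every key (empty Prefix) to the target bucket."""
    return {"Role": role_arn,
            "Rules": [{"Status": "Enabled", "Prefix": "",
                       "Destination": {"Bucket": f"arn:aws:s3:::{target}"}}]}


def render_documents(source: str, target: str, role_arn: str) -> dict:
    """Map file name -> JSON text for the three documents the recipe uses."""
    return {"cr-role.json": json.dumps(trust_policy(), indent=2),
            "cr-policy.json": json.dumps(role_policy(source, target), indent=2),
            "pbr.json": json.dumps(replication_config(role_arn, target), indent=2)}


def check_replication_config(config: dict, role_arn: str, target: str) -> list:
    """Problems found in a replication configuration; an empty list means it is as intended.
    Works on pbr.json and on the dict returned by `aws s3api get-bucket-replication`."""
    problems = []
    if config.get("Role") != role_arn:
        problems.append(f"unexpected role {config.get('Role')!r}")
    rules = config.get("Rules", [])
    if not rules:
        problems.append("no replication rules")
    for i, rule in enumerate(rules):
        if rule.get("Status") != "Enabled":
            problems.append(f"rule {i} is not Enabled")
        dest = rule.get("Destination", {}).get("Bucket")
        if dest != f"arn:aws:s3:::{target}":
            problems.append(f"rule {i} sends replicas to {dest!r}, not the target bucket")
    return problems


def check_role_policy(policy: dict, allowed_buckets: set) -> list:
    """Flag statements whose Resource reaches outside the source/target pair (e.g. '*')."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            # "arn:aws:s3:::bucket/key" -> "bucket"; a bare "*" stays "*" and is flagged
            bucket = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
            if bucket not in allowed_buckets:
                problems.append(f"statement {i}: {res!r} is outside the replication pair")
    return problems


if __name__ == "__main__":
    for name, text in render_documents(SOURCE_BUCKET, TARGET_BUCKET, ROLE_ARN).items():
        Path(name).write_text(text)
    print("# Files written; apply them in the recipe's order, for example:")
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          "--assume-role-policy-document file://cr-role.json")
    print(f"aws iam put-role-policy --role-name {ROLE_NAME} "
          f"--policy-name {ROLE_NAME}-policy --policy-document file://cr-policy.json")
    print(f"aws s3api put-bucket-replication --bucket {SOURCE_BUCKET} "
          "--replication-configuration file://pbr.json")
```

Running the file writes cr-role.json, cr-policy.json and pbr.json into the current directory and prints the CLI commands from steps 6, 8 and 11 with the placeholders filled in. The two check functions are deliberately independent of the CLI so they can be run in CI against the JSON you keep in version control, or against `aws s3api get-bucket-replication --bucket YOUR-SOURCE-BUCKET` output piped through `json.loads`, to catch a rule that was left disabled or a role policy that was widened to `*` during troubleshooting.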